6 Replies Latest reply on Oct 15, 2008 8:04 PM by javidjamae

    Invalid User on EJB authentication (JBoss 5 CR2)

    javidjamae

      I'm trying out JBoss 5 CR2. I have an EJB application that uses dynamic login config. The application seems to deploy fine, and my security configuration is correct, because I can access the application from a Web interface.

      But when I try to authenticate with the same user from a remote EJB client, I receive the following error:

       [java] javax.ejb.EJBAccessException: Invalid User
       [java] at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:135)
       [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       [java] at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
       [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       [java] at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
       [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       [java] at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:65)
       [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       [java] at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
       [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       [java] at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:462)
       [java] at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:56)
       [java] at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
       [java] at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
       [java] at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
      ...
      


      My client is just doing this:
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import org.jboss.security.SecurityAssociation;
      import org.jboss.security.SimplePrincipal;

      // Caller identity set directly on the thread-local SecurityAssociation
      SecurityAssociation.setPrincipal(new SimplePrincipal(principal));
      SecurityAssociation.setCredential(password.toCharArray());

      Context ctx = new InitialContext(); // provider URL comes from jndi.properties
      CalculatorRemote calculator = (CalculatorRemote) ctx
       .lookup("calculator/StatelessCalculatorBean/remote");
      calculator.calculateFutureValue(1000, 20);
      


      I think this may be a bug. Any clues?

        • 1. Re: Invalid User on EJB authentication (JBoss 5 CR2)
          jaikiran

           

          "javidjamae" wrote:

          My client is just doing this:
          SecurityAssociation.setPrincipal(new SimplePrincipal(principal));
          SecurityAssociation.setCredential(password.toCharArray());
          
          CalculatorRemote calculator = (CalculatorRemote) ctx
           .lookup("calculator/StatelessCalculatorBean/remote");
          calculator.calculateFutureValue(1000, 20);
          


          I think this may be a bug. Any clues?


          Was this working on earlier versions of JBoss? I haven't seen any examples where you just do a setPrincipal and setCredential on the SecurityAssociation and access a secure bean. From what I have read, you have to do a programmatic JAAS login before accessing the secure bean.


          • 2. Re: Invalid User on EJB authentication (JBoss 5 CR2)
            javidjamae

            Yes, this was definitely working in JBoss 4.x and in the JBoss 5 Beta releases. AFAIK, all the ClientLoginModule does is set the SecurityAssociation principal and Credential.

            For example, "8.5.3.10. ClientLoginModule" in the JBoss 4 guide says:

            The ClientLoginModule is an implementation of LoginModule for use by JBoss clients for the establishment of the caller identity and credentials. This simply sets the org.jboss.security.SecurityAssociation.principal to the value of the NameCallback filled in by the callbackhandler, and the org.jboss.security.SecurityAssociation.credential to the value of the PasswordCallback filled in by the callbackhandler. This is the only supported mechanism for a client to establish the current thread's caller. Both stand-alone client applications and server environments, acting as JBoss EJB clients where the security environment has not been configured to use JBossSX transparently, need to use the ClientLoginModule. Of course, you could always set the org.jboss.security.SecurityAssociation information directly, but this is considered an internal API that is subject to change without notice.


            I'll try again using JAAS to see if there is any difference.

            • 3. Re: Invalid User on EJB authentication (JBoss 5 CR2)
              javidjamae

              I tried this using the following jndi.properties file:

              java.naming.factory.initial=org.jboss.security.jndi.JndiLoginInitialContextFactory
              java.naming.provider.url=jnp://localhost:1099
              


              I then set the following in my client:

              import java.util.Properties;
              import javax.naming.Context;
              import javax.naming.InitialContext;
              // Credentials passed via the JNDI environment to JndiLoginInitialContextFactory
              Properties env = new Properties();
              env.setProperty(Context.SECURITY_PRINCIPAL, principal);
              env.setProperty(Context.SECURITY_CREDENTIALS, password);
              Context ctx = new InitialContext(env);
              


              But I get the exact same issue, so I don't think it's related to accessing the SecurityAssociation directly.

              • 4. Re: Invalid User on EJB authentication (JBoss 5 CR2)
                javidjamae

                OK, when I try to do it with a real JAAS login, it works.

                My client looks like this:

                import javax.naming.InitialContext;
                import javax.security.auth.callback.CallbackHandler;
                import javax.security.auth.login.LoginContext;
                import org.jboss.security.SimplePrincipal;
                import org.jboss.security.auth.callback.SecurityAssociationHandler;

                // Programmatic JAAS login; ClientLoginModule (see auth.conf below) stores the identity
                SecurityAssociationHandler handler = new SecurityAssociationHandler();
                SimplePrincipal user = new SimplePrincipal(principal);
                handler.setSecurityInfo(user, password.toCharArray());
                LoginContext loginContext =
                 new LoginContext("myClientDomain", (CallbackHandler) handler);
                loginContext.login();
                InitialContext ctx = new InitialContext();
                


                I create a auth.conf file that looks like this:

                myClientDomain {
                 org.jboss.security.ClientLoginModule required;
                };
                


                And I specified the following JVM argument on my client:

                -Djava.security.auth.login.config=/full/path/to/auth.conf
                


                It seems like the SecurityAssociation way and the ClientLoginModule way do not work. Is this a bug, or do you have to do it using JAAS in JBoss 5?
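The working approach from reply 4, pulled together into one standalone client. This is an added example, not code from the thread or from JBoss itself. It assumes the auth.conf entry "myClientDomain" and the JNDI name from the post, a jndi.properties on the client classpath pointing at the server, and a hypothetical CalculatorRemote interface (the real one ships in the EJB jar; its method signature here is a guess). The point it adds beyond the post is the logout in a finally block and where a bad password actually surfaces.

```java
import java.io.Console;
import java.security.Principal;
import java.util.Arrays;
import javax.naming.InitialContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

/**
 * Added example (not code from the thread): a standalone JBoss EJB3 client that
 * establishes its caller identity with a JAAS LoginContext backed by
 * ClientLoginModule, invokes the bean, and always logs out afterwards.
 *
 * Assumptions (not stated in the thread): the auth.conf entry "myClientDomain"
 * from the post, a jndi.properties on the classpath pointing at the server,
 * and a hypothetical CalculatorRemote interface with the method shown.
 */
public class CalculatorClient {

    /** Hypothetical remote business interface; the real one lives in the EJB jar. */
    public interface CalculatorRemote {
        double calculateFutureValue(double presentValue, int years);
    }

    private static final String JAAS_ENTRY = "myClientDomain";
    private static final String JNDI_NAME = "calculator/StatelessCalculatorBean/remote";

    /**
     * Runs one bean call as the given user.
     *
     * ClientLoginModule authenticates nothing on the client side: its login()
     * only records principal and credential on the calling thread
     * (SecurityAssociation). The server checks them when the invocation
     * arrives, which is why a bad password shows up as an EJBAccessException
     * on the bean call rather than as a LoginException here.
     */
    public static double callAs(String user, char[] password) throws Exception {
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        Principal principal = new SimplePrincipal(user);
        handler.setSecurityInfo(principal, password);

        LoginContext lc = new LoginContext(JAAS_ENTRY, (CallbackHandler) handler);
        lc.login();
        try {
            InitialContext ctx = new InitialContext();
            CalculatorRemote calc = (CalculatorRemote) ctx.lookup(JNDI_NAME);
            return calc.calculateFutureValue(1000, 20);
        } finally {
            // Clears the thread-local identity so later calls on this thread
            // cannot silently run with this user's credentials.
            lc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CalculatorClient <user>");
            System.exit(2);
        }
        // Same effect as -Djava.security.auth.login.config=/full/path/to/auth.conf
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config", "auth.conf");
        }

        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to read the password");
            System.exit(2);
        }
        // Password is read from the terminal, never from argv or a properties file
        char[] password = console.readPassword("Password for %s: ", args[0]);
        try {
            System.out.println("future value: " + callAs(args[0], password));
        } finally {
            Arrays.fill(password, '\0'); // drop the cleartext password as soon as the call is done
        }
    }
}
```

Run it with the auth.conf from the post unchanged (the entry that lists org.jboss.security.ClientLoginModule required). Because the credentials only live on the calling thread between login() and logout(), a thread-pool worker that skips the logout would keep invoking the server as the last user who logged in on it; the try/finally is there for that reason, not for tidiness.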

                • 5. Re: Invalid User on EJB authentication (JBoss 5 CR2)
                  alrubinger

                  You might try asking on the Security User's Forum; we leverage their components for EJB3 Security.

                  S,
                  ALR

                  • 6. Re: Invalid User on EJB authentication (JBoss 5 CR2)
                    javidjamae

                    Thanks, I posted this message on the security forum to see if I get an answer:

                    http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4182527